An SAP Security Baseline is a regulation establishing minimum security requirements for all SAP systems in your organization.
"Baseline" means that these requirements must be fulfilled by all SAP systems regardless of any risk assessment. They are general best practices and apply to every system, irrespective of its security level.
To identify needs beyond this baseline level for specific systems, an assessment must determine which systems require an additional, explicit risk analysis, for example because of their particular criticality or nature. For such systems, a further risk analysis must be conducted, and countermeasures for the identified risks must be developed and applied individually.
An SAP Security Baseline is typically derived from several sources:
- Recommendations from SAP, for example, from SAP security services like the security chapter of the EarlyWatch Alert (or note 863362) or the SAP Security Optimization Service.
- Documentation from SAP, for example, the product-specific Security Guides on the SAP Help Portal, Security Whitepapers, or Security Notes.
- Organization-specific guiding documents, such as an overall Security Policy or an IT Security Policy, which must be respected.
- Additional requirements or deviations explicitly decided by Security Consultants or Auditors.

The overview of the typical approach is as follows:
- SAP security services, for example, the security chapter of the EarlyWatch Alert or the SAP Security Optimization Service, help compare exemplary systems against SAP recommendations and derive corresponding general requirements for all SAP systems.
- SAP system-specific input and requirements are derived from internal governing or guiding sources, such as general security policies or specific decisions on certain topics.
- A company-specific SAP Security Baseline is built based on the input from internal sources and SAP.
- The regulations in this SAP Security Baseline can then be transformed into a technical representation of the to-be status for SAP systems. In the Configuration Validation application of SAP Solution Manager, this is covered by so-called "Target Systems".
- In operations, the SAP systems can then be continuously monitored for compliance with the SAP Security Baseline, for example by using the Configuration Validation application. This provides a cross-system overview of selected technical aspects, such as the security configuration or critical authorizations. The results can be evaluated within Configuration Validation and consumed in SAP Solution Manager-based dashboards, the Monitoring and Alerting Infrastructure of Solution Manager, and risk management tools such as SAP GRC Process Control.
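The two steps above, turning a baseline regulation into a technical "to-be" definition and then checking every system of a landscape against it, can be illustrated outside of SAP Solution Manager. The following is an added example written for this page, not SAP code and not Configuration Validation itself: it models a target as a profile parameter plus a required value and comparison, reads constructed per-system profile values, and produces a cross-system compliance overview. The target values, the sample landscape and the operator set are constructed for illustration and are not SAP's recommended values; SAP Note 2253549 and the SAP Security Baseline Template are the places to take real values from.

```python
"""Added example: a minimal cross-system baseline compliance check.

Not SAP code. Parameter targets and system readings below are constructed
for illustration and are not SAP's recommended values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Target:
    """One baseline requirement in technical form: which profile parameter,
    what value is required, and how the actual value is compared to it."""
    parameter: str
    expected: str
    op: str  # "eq": exact match; "ge"/"le": numeric; "range": "lo-hi" inclusive


@dataclass(frozen=True)
class Finding:
    parameter: str
    expected: str
    actual: Optional[str]   # None when the parameter is not set in the profile
    compliant: bool


# Constructed target values (illustrative only, not SAP's recommendations).
BASELINE_TARGETS: List[Target] = [
    Target("login/min_password_lng", "8", "ge"),
    Target("login/fails_to_user_lock", "5", "le"),
    Target("login/no_automatic_user_sapstar", "1", "eq"),
    # A plain "le" would accept 0, which for a timeout means "disabled",
    # so the target is expressed as a range instead.
    Target("rdisp/gui_auto_logout", "1-3600", "range"),
]


def compare(op: str, actual: str, expected: str) -> bool:
    """Evaluate one target comparison; non-numeric input where a number is
    required counts as non-compliant rather than raising."""
    if op == "eq":
        return actual == expected
    try:
        value = int(actual)
        if op == "range":
            lo, hi = (int(part) for part in expected.split("-"))
            return lo <= value <= hi
        bound = int(expected)
    except ValueError:
        return False
    if op == "ge":
        return value >= bound
    if op == "le":
        return value <= bound
    raise ValueError(f"unknown operator {op!r}")


def check_system(profile: Dict[str, str],
                 targets: List[Target] = BASELINE_TARGETS) -> List[Finding]:
    """Compare one system's profile against all targets, in target order."""
    findings = []
    for t in targets:
        actual = profile.get(t.parameter)
        # An unset parameter is reported as non-compliant: the kernel default
        # might happen to satisfy the target, but the baseline wants it explicit.
        ok = actual is not None and compare(t.op, actual, t.expected)
        findings.append(Finding(t.parameter, t.expected, actual, ok))
    return findings


def compliance_report(landscape: Dict[str, Dict[str, str]]) -> Dict[str, dict]:
    """Cross-system overview: per system ID, overall status and failed parameters."""
    report = {}
    for sid, profile in landscape.items():
        failed = [f.parameter for f in check_system(profile) if not f.compliant]
        report[sid] = {"compliant": not failed, "failed": failed}
    return report


# Constructed sample landscape: three systems with different profile settings.
SAMPLE_LANDSCAPE: Dict[str, Dict[str, str]] = {
    "PRD": {"login/min_password_lng": "10", "login/fails_to_user_lock": "3",
            "login/no_automatic_user_sapstar": "1", "rdisp/gui_auto_logout": "1800"},
    "DEV": {"login/min_password_lng": "6", "login/fails_to_user_lock": "12",
            "login/no_automatic_user_sapstar": "1"},          # auto logout not set
    "QAS": {"login/min_password_lng": "abc", "login/fails_to_user_lock": "5",
            "login/no_automatic_user_sapstar": "0", "rdisp/gui_auto_logout": "0"},
}

if __name__ == "__main__":
    for sid, result in compliance_report(SAMPLE_LANDSCAPE).items():
        status = "OK " if result["compliant"] else "FAIL"
        print(f"{status} {sid}: {', '.join(result['failed']) or 'all targets met'}")
```

The report keys off the same target list for every system, which is the point of a baseline: one to-be definition, applied uniformly, with deviations listed per system so they can be fed into a dashboard or a ticketing flow. Systems that need more than the baseline get additional targets of their own rather than a relaxed common list.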
Organizations can use the SAP Security Baseline Template, a document provided by SAP that shows how an organization-specific SAP Security Baseline could be structured for a customer landscape (mostly on-premise, but also for hybrid setups). It is prefilled with selected baseline-relevant requirements and the corresponding concrete values recommended by SAP.
For more information, refer to SAP Note 2253549 for the latest product-specific Security Recommendations.